Big news! The community will be moving to a new platform April 21. Read more.
Big news! The community will be moving to a new platform April 21. Read more.
This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
bn_pep
Captain Captain
Captain
‎2020-04-27 19:13
434 views

WebInspect - Persistent XSS Vulnerable Sessions Verified and Reflection Audited - How to Enable

Jump to solution

In the WebInspect scan visualization, there two status bars, "Verified" and "Reflection Audited". These never show any activity other than something similar to "Verified: 0 of 200". 

We typically use the "Standard" scan policy with WebInspect. We are using version 19.2.

How are these checks enabled so that the Persistent and Reflected XSS are retested and audited?

Thanks!

Preview file
133 KB
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
ebell
Micro Focus Expert
Micro Focus Expert
‎2020-04-27 20:59

Jump to solution

Persistent is not enabled by default in the Standard policy. If you change the policy to Cross-Site Scripting (or enable in the Standard Policy) you will see values...as long as the site is vulnerable as well:

ebell_0-1588017542743.png

Here is a screenshot of the Standard policy showing where this is disabled:

ebell_0-1588017866677.png 

ebell_1-1588017918729.png

 

 

View solution in original post

0 Likes
Reply
Report Inappropriate Content
4 Replies
ebell
Micro Focus Expert
Micro Focus Expert
‎2020-04-27 20:00

Jump to solution

According to the documentation, here is a description of those values:

Verified

Number of persistent XSS vulnerable sessions verified / total number of persistent XSS vulnerable sessions to verify.

When persistent XSS auditing is enabled, Fortify WebInspect sends a second request to all vulnerable sessions and examines all responses for probes that Fortify WebInspect previously made. When probes are located, Fortify WebInspect will record links between those pages internally.
Reflection Audited

Number of persistent XSS vulnerable linked sessions audited / total number of persistent XSS vulnerable linked sessions to audit.

When persistent XSS auditing is enabled, this represents the work required for auditing the linked sessions found in the verification step for persistent XSS.
0 Likes
Reply
Report Inappropriate Content
bn_pep
Captain Captain
Captain
‎2020-04-27 20:05

Jump to solution
Hello, I do understand what they represent. I've never found a way to enable these checks. The auditing for these two progress bars is always zero for our scans. How to I enable these tests? I can't find anything in the scan settings. Are they enabled via a policy, or some other means?
0 Likes
Reply
Report Inappropriate Content
ebell
Micro Focus Expert
Micro Focus Expert
‎2020-04-27 20:59

Jump to solution

Persistent is not enabled by default in the Standard policy. If you change the policy to Cross-Site Scripting (or enable in the Standard Policy) you will see values...as long as the site is vulnerable as well:

ebell_0-1588017542743.png

Here is a screenshot of the Standard policy showing where this is disabled:

ebell_0-1588017866677.png 

ebell_1-1588017918729.png

 

 

View solution in original post

0 Likes
Reply
Report Inappropriate Content
bn_pep
Captain Captain
Captain
‎2020-04-27 21:13

Jump to solution
So, it's enabled in the policy. Thanks! That is what I needed to know!
0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.